The present invention related generally to software that controls an operating policy of a computer system. For example, access to various system resources, such as files and network connections may be so controlled.
Modem computer systems are controlled by two levels of software: an operating system and application software. The operating system maintains a separation in the memory of the computer between the operating system, said to execute in operating system space, and the applications, said to execute in applications space.
Applications are the software that provides solutions to business problem, such as processing e-mail messages. Applications perform their work by communicating requests for access to resources such as network connections or files stored on a storage medium to the operating system, which then fills these requests.
It may be desired to control anyone or more of a wide variety of operating policies. One common scenario is to control access to various system resources, as mentioned above, for purposes of securing a system against deliberate and malicious attack or for purposes of ensuring correct and non-interfering operation of various processes. For purposes of illustration, access control for security purposes is discussed. However, the skilled artist will understand that the discussion has wider implications, as explicitly pointed out and as implied in the following discussion.
Referring to the example of security systems, access is conventionally controlled by one or more real-time processes, while policy is independently established with the assistance of one or more non-real-time processes. In the context of this description, a real-time process is one whose action is sufficiently immediate as to imperceptibly affect the speed at which transactions with which the real-time process is connected are processed. A non-real-time process is one that processes transactions at a speed substantially slower than the instantaneous rate at which transactions naturally occur.
Real-time access control processes and data structures include, but are not limited to reference monitors, access control lists, permissions flags, access tokens and process ID checking.
A reference monitor is a component of a computer system that determines whether an access by one component, for example a user process, of another component, for example, a file is permitted.
As used hereinafter, dynamic state is a collection of information, that is collected in real time, indicative of a condition of a machine or process as a result of a particular sequence of events leading to the condition. A stateless system or component is one, which does not collect such data.
Conventional reference monitors, herein referred to as stateless reference monitors, are found in the kernels of various Operating Systems, including, for example, MicroSoft® Windows™ 2000 or UNIX. They are used to determine whether a particular access to a file or other resource is permitted.
Conventional operating systems contain embedded stateless reference monitors to control access to resources. User processes are started and identified to users on the basis of the user supplying certain identity tokens. In most cases the access decision is made based on the identity of the user whose local program or process makes the request and one or more static permissions flags or an access control list associated with the resource. For examples, see Unix or Windows 2000. The contents of static permissions flags and access control lists do not include information representing the current state of the system, but rather include information that produces identical results regardless of the state of the system.
Most conventional reference monitors deals with a single resource type (such as files or network connections). Some, such as eTrust Access Control v.5.1 from Computer Associates, protect multiple resource types.
Some operating systems give finer control by associating individual permissions with each user, and then checking those permissions against the static access control list of the resource. This is an improvement, but typically there are only a limited number of permission flags. Security-Enhanced Linux is an example of such an operating system.
There are operating systems that are even finer grained, and allow individual users to offer a set of tokens, and if any match those found in the access control list, then access is granted.
There are operating environments that can include the origin of the requesting program in their access control decision. For example, see Dan Wallach and Edward Felton, “Understanding Java Stack Inspection”, IEEE Proceedings of Security & Privacy, May 1998.
Non-real-time processes are conventionally employed to collect date and analyze past events in order to establish or modify effective policies, for example security policies. Typical, conventional non-real-time processes include intrusion detection systems, for example.
One type of intrusion detection system is an autonomous agent that polls, monitors and/or periodically mines log files for data indicative of an intrusion. A drawback of such non-real-time systems is that intrusions are only detected “after the fact.” The intruder leaves an audit trail of actions recorded in log files and elsewhere for which the only reasonable explanation is an intrusion. However, by the time such a non-real-time intrusion detection system identifies an intrusion, the intruder is long gone and damage done.
For examples, see Peter G. Neumann and Phillip A. Porras, “Experience with EMERALD to Date”, 1st USENIX Workshop on Intrusion Detection and Network Monitoring, April 1999; Eugene Spafford et al. “Intrusion detection using autonomous agents” Computer Networks 34 (2000); and Steven R. Snapp et al., “DIDS (Distributed Intrusion Detection System)—Motivation, Architecture, and An Early Prototype”, Proceedings of the 14th National Computer Security Conference, October 1991.
The analysis performed by intrusion detection systems such as have been described or referred to above is useful for developing policies to be enforced by real-time components, such as also described above. For example, there are reference monitors who can follow more complex rules based on patterns mined by an intrusion detector from past behavior, but they cannot update their state on each controlled request. For example, see Debra Anderson et al., “Next-generation Intrusion Detection Expert System (NIDES) A Summary”, SRI International, May 1995.
The rise of network computing, with the attendant dangers of remote hackers, renders the access control decision more difficult. Most systems base their access control decisions on the identity of the local requesting program which is tied to a particular user, as noted above, and not on the presumably unknown identity of the remote hacker.
Moreover, conventional systems constructed of obvious combinations of the foregoing do not detect or control access based on pattern of behavior that cross the lines between diverse users, processes, access types, etc. Conventional systems constructed of obvious combinations of the foregoing do not adjust policies dynamically, in real-time, in response to newly experienced threats.
Conventional systems suffer from a lack of dynamic state inherent to stateless reference monitors, and that they are not very resilient in the face of local application programming errors through which a remote attacker can subvert a trusted local program. Application programming errors, i.e., bugs, will always continue to exist as the programmers are fallible and the testing cannot reasonably anticipate all manner of malicious attacks.
When conventional reference monitors are used, once an attacker has managed to subvert a local application, the attacker typically has all the rights and privileges of that application. In the case of an e-commerce server, this may include the ability to look at transaction histories and the associated credit card information.
Finally, as already discussed above, conventional systems cannot detect and react to attacks in which diverse parts of the attack are performed by seemingly normal operations of diverse programs or processes, that only form the attack when taken in combination.